Est. MMXXVI · Vol. VI · № 273
Blockchain Breaches

An archive of cryptocurrency security incidents — hacks, exploits, bridge failures and rug pulls, documented with on-chain evidence.

Dossier № 081 · Smart Contract Bug

TreasureDAO Marketplace Zero-Price Bug

~$1.4M of NFTs stolen from TreasureDAO's marketplace after the buy function failed to require a non-zero quantity, so the computed price was zero and the NFTs could be bought for free.

Date: March 3, 2022
Chain(s): Arbitrum
Status: Partially Recovered

On March 3, 2022, the marketplace of TreasureDAO, an NFT gaming ecosystem on Arbitrum, was exploited: more than 100 NFTs (roughly $1.4M) were bought for effectively zero MAGIC. The marketplace's buy function did not validate that the requested quantity, and therefore the computed total price, was non-zero, so an attacker could take listed NFTs while paying nothing.

What happened

TreasureDAO's marketplace buyItem computed totalPrice = pricePerItem * quantity, pulled that amount of MAGIC from the buyer, and then transferred the NFT. It never required quantity to be greater than zero. For ERC-721 listings the transfer moved the single listed token regardless of the quantity argument, so submitting quantity = 0 set the price to zero while still delivering the NFT. The attacker repeated this across active listings, taking more than 100 NFTs before the marketplace was paused.
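The pattern described above, reduced to a vulnerable buy path beside a hardened one. This is an added illustration written for this dossier, not TreasureDAO's marketplace code; the contract and struct names, the listing layout and the single-token-per-listing assumption for ERC-721 are assumptions made for the example.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Illustrative example only; not TreasureDAO's code. Names are assumptions.

interface IERC20 {
    function transferFrom(address from, address to, uint256 amount) external returns (bool);
}
interface IERC721 {
    function safeTransferFrom(address from, address to, uint256 tokenId) external;
}
interface IERC1155 {
    function safeTransferFrom(address from, address to, uint256 id, uint256 amount, bytes calldata data) external;
}

// Listing as assumed for this example: quantity, unit price, seller, token standard.
struct Listing {
    uint256 quantity;
    uint256 pricePerItem;
    address owner;
    bool isERC1155;
}

// Vulnerable shape: quantity is never required to be non-zero.
contract VulnerableMarketplace {
    IERC20 public immutable paymentToken;
    mapping(address => mapping(uint256 => Listing)) public listings;

    constructor(IERC20 token) { paymentToken = token; }

    function buyItem(address nft, uint256 tokenId, uint256 quantity) external {
        Listing storage item = listings[nft][tokenId];
        require(item.owner != address(0), "not listed");
        require(item.quantity >= quantity, "not enough quantity"); // 0 >= 0 passes

        // quantity == 0  =>  totalPrice == 0  =>  transferFrom of 0 succeeds
        uint256 totalPrice = item.pricePerItem * quantity;
        require(paymentToken.transferFrom(msg.sender, item.owner, totalPrice), "payment failed");

        if (item.isERC1155) {
            // Amount 0 moves nothing, so the ERC-1155 branch is not the free path.
            IERC1155(nft).safeTransferFrom(item.owner, msg.sender, tokenId, quantity, "");
        } else {
            // Single token moves regardless of quantity: the free-buy path.
            IERC721(nft).safeTransferFrom(item.owner, msg.sender, tokenId);
        }
        item.quantity -= quantity;
        if (item.quantity == 0) delete listings[nft][tokenId];
    }
}

// Hardened shape: reject the degenerate inputs before any asset moves.
contract HardenedMarketplace {
    IERC20 public immutable paymentToken;
    mapping(address => mapping(uint256 => Listing)) public listings;

    constructor(IERC20 token) { paymentToken = token; }

    function buyItem(address nft, uint256 tokenId, uint256 quantity) external {
        Listing storage item = listings[nft][tokenId];
        require(item.owner != address(0), "not listed");
        require(quantity > 0, "quantity must be > 0");
        require(item.quantity >= quantity, "not enough quantity");
        // An ERC-721 listing is exactly one token; the transfer ignores
        // quantity, so bind the two explicitly.
        if (!item.isERC1155) require(quantity == 1, "ERC721 quantity must be 1");

        uint256 totalPrice = item.pricePerItem * quantity;
        // Defence in depth: a zero price should be impossible for a valid
        // listing, so refuse rather than move the asset for free.
        require(totalPrice > 0, "zero price");
        require(paymentToken.transferFrom(msg.sender, item.owner, totalPrice), "payment failed");

        if (item.isERC1155) {
            IERC1155(nft).safeTransferFrom(item.owner, msg.sender, tokenId, quantity, "");
        } else {
            IERC721(nft).safeTransferFrom(item.owner, msg.sender, tokenId);
        }
        item.quantity -= quantity;
        if (item.quantity == 0) delete listings[nft][tokenId];
    }
}
```

The hardened version also needs the same check on the listing side (reject pricePerItem == 0 and quantity == 0 at createListing/updateListing), otherwise a seller can still create a listing whose totalPrice is zero for any quantity; the `totalPrice > 0` guard catches that case too.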

Aftermath

  • TreasureDAO paused the marketplace and worked with the community on a restitution plan.
  • A large share of the stolen NFTs were subsequently returned and recovered; partial restitution followed.

Why it matters

TreasureDAO is a clean input-validation case — a function that performs an asset transfer must validate that every economically-meaningful parameter is in a sane range, including the degenerate cases (zero quantity, zero price) that no legitimate user would ever submit. The same "validate the degenerate case" lesson appears at MonoX (swap a token for itself) and across the catalogue. NFT marketplaces are a recurring instance because their price math (price × quantity, royalties, fee splits) has more arithmetic edge cases than a simple transfer, and the edge cases are exactly where the value leaks.

Sources & on-chain evidence

  1. [01] halborn.com: https://www.halborn.com/blog/post/explained-the-treasure-dao-hack-march-2022
  2. [02] cryptopotato.com: https://cryptopotato.com/hackes-exploit-arbitrum-based-marketplace-treasure-over-100-nfts-stolen/
  3. [03] rekt.news: https://rekt.news/treasure-dao-rekt
